mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 22:34:47 +00:00
0ddca461fc
* Add Pipelock agent security scan to CI Scans PR diffs for leaked secrets and agent security risks. Zero config, runs on every PR to main. * Retrigger CI (v1 action tag now available) * Harden checkout: persist-credentials false Pipelock only reads local git history for diff scanning, no auth token needed in .git/config.
25 lines
454 B
YAML
25 lines
454 B
YAML
name: Pipelock Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Pipelock Scan
|
|
uses: luckyPipewrench/pipelock@v1
|
|
with:
|
|
scan-diff: 'true'
|
|
fail-on-findings: 'true'
|
|
test-vectors: 'false'
|